On October 26, 2017, President Trump directed the Secretary of the Department of Health and Human Services (“Secretary”) to declare a National Public Health Emergency on the opioid epidemic. While the President offered few details regarding how his administration will address the challenge of treating patients struggling with opioid addiction, a previous statement from the White House indicated that the Administration plans to expand access to treatment via telemedicine and more specifically, remote prescribing of the necessary controlled substances used to treat these patients. While this is a logical step, and one that has been advocated at length by states and health care experts, alike, expanding health care providers’ capabilities to utilize remote prescribing to treat opioid addiction will likely run afoul of existing federal law.

The Ryan Haight Online Pharmacy Consumer Protection Act (“Act”) was passed by Congress in 2008 following the death of Ryan Haight, an 18-year-old honor student who overdosed on prescription narcotics delivered to his door by an internet pharmacy based on a prescription written by a physician he had never seen. The Act amended the federal Controlled Substances Act and requires a prescribing practitioner to be physically present when prescribing, or allowing to be prescribed by a remote practitioner, a controlled substance, if the prescribing practitioner has not previously conducted an in-person physical examination of the patient. However, some have viewed the Act as establishing a significant barrier to the progress of telemedicine. In the words of former Rep. Mary Bono (R-Calif.), “the issue back then is very different from what the issue has become.”

Today, telemedicine has exploded. In just the last year, nearly every state has enacted new legislation that either expands access to telemedicine services, expands parity for reimbursement for telemedicine services, and/or loosens previous restrictions on telemedicine interactions (e.g., establishing practitioner-patient relationships) and remote prescribing. In stark contrast, the federal government has made little to no attempt to modify the antiquated Act to keep up with the telemedicine advancements since it was passed in 2008. Practitioners must now navigate their telemedicine practices around the Act since there are few exceptions to the Act and violations of the Act are considered violations of the Controlled Substances Act, which include fines, penalties, disbarment, and incarceration. With such stiff consequences and the lack of guidance or regulatory measures promulgated by the Drug Enforcement Agency, practitioners are unlikely to prescribe drugs to treat opioid-addicted patients that are most vital to their treatment.

Ironically, the World Health Organization deemed methadone and buprenorphine, two controlled substances, to be “essential medicines” in the treatment of opioid addiction. Studies have shown strong inverse linear association between heroine overdose deaths and patients being treated with opioid agonist treatments, including methadone and buprenorphine. As such, the ability to treat patients effectively through telemedicine and remote prescribing will often require prescribing drugs currently prohibited for such prescription. This realization has come to many policy makersand telemedicine organizations. Most of these individuals and organizations have called for amendment or repeal of the Act; however, one possible interpretation of the Act could allow for remote prescribing of controlled substances to treat opioid addiction under the telemedicine public health emergency declaration exemption of the Act.

Within the Act, Section 802(54)(D) (21 U.S.C. 802(54)(D)) permits the remote prescribing of controlled substances “during a public health emergency declared by the Secretary” and to the extent that the prescribing “involves patients located in such areas, and such controlled substances, as the Secretary, with the concurrence of the Attorney General, designates . . . .” On October 26, 2017, the Secretary, as directed by the President, issued the following statement regarding the public health emergency:

As a result of the consequences of the opioid crisis affecting our Nation, on this date and after consultation with public health officials as necessary, I, Eric D. Hargan, Acting Secretary of Health and Human Services, pursuant to the authority vested in me under section 319 of the Public Health Service Act, do hereby determine that a public health emergency exists nationwide.

Although a declaration of a public health emergency normally includes specific geographic parameters rather than blanket “nationwide” issuance, based upon the Secretary’s declaration, one could argue that health care practitioners seeking to treat patients dealing with opioid addiction now must only await the list of controlled substances (to be issued by the Secretary and the U.S. Attorney General) before they are able to remotely prescribing controlled substances to treat opioid addiction. However, even if the Attorney General were to agree with this interpretation of Section 802(54)(D)’s application and to provide a list of controlled substances that can be prescribed thereunder, 42 U.S.C. 247d only permits a declaration of a “public health emergency” to be in place for a maximum of 90 days. Therefore, utilizing Section 802(54)(D) to allow remote prescribing to treat opioid addiction through telemedicine will only serve as a temporary patch, while the bigger issue of amending the Ryan Haight Act needs to be addressed by Congress. In the words of Ms. Bono, “if the Ryan Haight Act needs to be updated, then let’s update it.”

The United States Department of Health and Human Services (“HHS”) Office of the Inspector General (“OIG”) recently updated its FY 2017 Work Plan. Traditionally, OIG’s annual Work Plan has given health care providers a preview of OIG’s enforcement priorities. With the OIG now making updates to its Work Plan on a monthly basis, providers stand to gain even more insight into how the focus of OIG is constantly shifting in order to assist in the identification of significant compliance risk areas.

In this most recent set of updates to the FY 2017 Work Plan, OIG announced that it will conduct a review of Medicare claims paid for telehealth services in FY 2017. Specifically, OIG is interested in reviewing claims for telehealth services provided at “distant sites” (i.e., the location of the provider of the telehealth service) that do not correspond with claims from an “originating site” (i.e., the location of the patient). By undertaking this review, presumably OIG seeks to verify that providers of telehealth services are: (1) appropriately rendering these services to Medicare beneficiaries based on current reimbursement rules under Medicare for provision of telehealth services (i.e., the beneficiary is at a valid originating site when receiving the telehealth service, which under current Medicare rules does not include a beneficiary’s home), and (2) not submitting fraudulent claims for telehealth services (i.e., services delivered outside of Medicare’s coverage and reimbursement scope). OIG’s review of these claims may demonstrate the need to update Medicare’s outdated coverage and reimbursement provisions for telehealth services.

Medicare’s Current Coverage of and Reimbursement for Telehealth Services

Medicare beneficiaries only may receive telehealth services while physically situated at one of eight “originating site[s],” none of which include the patient’s home—those living in geographically-restricted areas are still obligated to access a medical originating site in order to activate Medicare coverage.

Only eight types of practitioners may deliver the telehealth services to Medicare beneficiaries, and must do so from a qualified “distant site.”

In recent years, federal lawmakers have been working to lessen the constraints on Medicare Part B coverage of and reimbursement for telehealth services.

In August 2016, HHS published a Report to Congress on “E-Health and Telemedicine.” In this report, HHS expressed its support for telehealth expansion and its importance in the health care industry: “[T]elehealth holds promise as a means of increasing access to care and improving health outcomes.” Congress has seemed to take note. In the 2017–2018 legislative session, four key bills have been introduced that, if passed, would improve coverage of and reimbursement for telehealth services under Medicare:

The CHRONIC Care Act of 2017 (S. 870) would make four key changes to Medicare: (1) provide coverage and reimbursement for RPM delivery of home kidney dialysis assessments; (2) provide nationwide coverage and reimbursement for “telestroke” consultations (not just those that occur in rural hospitals or other originating sites); (3) eliminate the geographic restriction of an originating site for Accountable Care Organization (“ACO”) beneficiaries, thus allowing patients to receive home telehealth services; and (4) allow Medicare Advantage plans to offer telehealth benefits in annual bid amounts, instead of using rebate dollars to pay for telehealth as a “supplemental service.” The CHRONIC Care Act recently received a favorable, budget neutral Congressional Budget Office (“CBO”) score—alleviating a traditionally difficult roadblock for telehealth legislation.

The Medicare Telehealth Parity Act of 2017 (H.R. 2550) would provide an incremental expansion of coverage for telehealth services under Medicare by expanding the number of acceptable geographic locations for telehealth coverage under three “phases.”

The HEART Act (H.R. 2291) aims to increase Medicare coverage of telehealth services, including coverage and payment for store-and-forward services delivered to “any telehealth services that are furnished from a distant site, or to an originating site, that is a critical access hospital . . ., a rural health clinic . . ., or a sole community hospital” and for home-based monitoring of congestive heart failure and chronic obstructive pulmonary disease. These three bills have not yet been scored by the CBO.

While it remains to be seen whether any of these bills (or any others) will become law, the level of legislative activity still is promising—and particularly so in conjunction with HHS’s support for telehealth—that expansion of telehealth coverage and reimbursement under Medicare can make greater strides toward improving access to these services for Medicare beneficiaries.

Added to this, OIG’s recent updates to the FY 2017 Work Plan to include a review of telehealth reimbursement claims under Medicare may further accelerate this process if OIG identifies any pertinent potential risk areas related to provision of telehealth services.

This post was written with assistance from Matthew Sprankle, a 2017 Summer Associate at Epstein Becker Green.

The increasing prevalence of mobile technology in the healthcare sector continues to create compliance concerns for physician practices and other health care entities. While the Office of Civil Rights (OCR) of the Department of Health and Human Services, has traditionally focused on technology breaches within larger health systems, smaller physician practices and health care entities must also ensure that their policies and practices related to mobile technology do not foster non-compliance and create institutional risk.

Physicians Integrate Mobile Technology Into Daily Practice

The Physicians Practice’s2014 Technology Survey found that only 31 percent of more than 1,400 survey respondents reported implementing policies and rules to address bring your own device (“BYOD”) practices. With more than 80 percent of doctors using mobile devices at work and integrating their personal devices into their professional practice, these devices could potentially represent a significant privacy and security risk.

Traditional Safeguards Undermined By “Anywhere” Access

The HIPAA Security Rule applies when any protected health information (PHI) is accessed and communicated through a mobile device, such as texting a patient’s name and phone number for follow-up calls. In the annual OCR report to Congress on breaches of unsecured PHI for calendar years 2011 and 2012, OCR reported that information loss or theft from mobile devices was among the top three sources of breached PHI in 117 of the 222 reported breaches in 2012. Additionally, the Physicians Practice’s 2014 Technology Survey indicated that only 61 percent of the respondents surveyed reported securely backing data on a second server or via another method, thereby not complying with the HIPAA Security Rule which requires covered entities to create and maintain retrievable copies of electronic protected health information (ePHI).

OCR Enforcement Areas, Especially Among Small Breaches, Continue to Grow

OCR officials routinely remind covered entities and business associates to understand their obligations with respect to mobile device security – obligations that continue to become more complex to satisfy as the use of mobile technology in the workplace proliferates. Simultaneously, OCR continues to increase enforcement of data breaches by entities subject to the HIPAA Security Rule. Significantly, this enforcement expansion has included smaller entities and breaches affecting fewer than 500 individuals. OCR expects HIPAA Security Rule enforcement to continue its trend and increase going forward in 2014

Be Prepared

Physician practices and health care entities should conduct a thorough risk assessment which addresses the use of mobile devices and storage of mobile device data in their environment. Additionally, policies and procedures should be developed to manage the risk associated with mobile devices to a business tolerable level. Risk management plans and security evaluations should be updated and conducted periodically. Additionally, physician practices and health care entities must remember that their business associates must also comply with the HIPAA Security Rule. Thus, some diligence on the use of mobile devices in their business associates environment is advisable. In practice, over 20 percent of HIPAA data breaches have been traced to noncompliant business associates. While the risk may be significant, with proper staff training to identify and address questionable HIPAA behaviors, physician practices and health care entities can minimize the risk of OCR enforcement and large settlement costs associated with mobile devices.

If you have tuned into the news over the last few months, you are likely aware that several major corporations—including one of the nation’s largest retail chains—have suffered data breaches. These breaches have affected hundreds of millions of consumers, and in some cases exposed sensitive financial data such as credit card information, as well as personal information including names, mailing addresses, phone numbers, email addresses, usernames and passwords.

There is no doubt that a primary concern raised by these data breaches is risk to consumers’ financial wellbeing. Chiefly, hackers that seek out personal information tend to sell or use the data to commit identity theft and credit card fraud. Yet, an often overlooked concern involves risk to the medical wellbeing of individuals. It is commonplace for retail chains to operate pharmacies within their facilities where electronic protected health information (“e-PHI”) is received, used, stored and transmitted. Although current information regarding known breaches does not indicate that pharmacy files were accessed, the vulnerability of e-PHI stored by these entities is a serious concern in the field of health care privacy. To manage these risks, entities should take heed of the privacy and security concerns raised in the most recent data breaches, and proactively craft comprehensive and sophisticated approaches to data security.

Historically, data security is reactive in nature: corporations store data on their systems; hackers break into the systems (or the systems of their business partners); companies, if aware of the breach, modify their security to prevent a similar data breach; hackers find a different weakness and again breach the system. This cycle continues ad infinitum.

While there is definitely value in defensive security, as cybersecurity risks grow and lead to increasing volume of data breach, healthcare entities may want to consider strategies to remain on the offensive when it comes to data security of e-PHI. The laws applicable to the security of e-PHI provide a flexible framework to address these risks, but most entities have not designed effect risk management programs to address risk proactively. Nevertheless, the HIPAA Security Rule requires entities to implement a number of technical safeguards which can be used proactively. For example, HIPAA requires audit controls to ensure entities have sufficient awareness about system activity (and specifically malicious activity). If reasonable and appropriate controls are put in place relative to these safeguards, companies can thwart hackers from gaining unauthorized access to e-PHI.

Offensive security requires a proactive mindset and approach to protecting computer systems, networks, and protected information from attack. While proactive security can take several forms, some liken the proactive approach to purchasing insurance. Assets are invested and measures are taken to protect against the risk that something will occur resulting in liability or loss. In the modern digital world it is often not a question of “if” but rather “when” a company will experience a data breach. According to a 2012 independent study by the Ponemon Institute, a staggering 94 percent of health care organizations have had at least one data breach in the last two years alone. The same study estimated that overall economic impact of a breach has risen six-fold over the last few years and now costs millions. With this in mind, here are just a few reasons why proactive data security should be a priority for health care entities:

1) Rapid & Continuous Evolution of Cyber Security Threats. Hackers are not only more sophisticated, they are more prevalent; threats to cyber security do not remain static in nature or volume. This unrelenting growth may be a result of the success rate of the illicit activity. Merely reacting to hackers’ successful attempts puts the industry at a major disadvantage because hackers are incentivized to evolve.

2) Ignorance. It is a common misconception that data security breaches are rare—more often data breaches go undetected or unreported. The simple truth is that no organization is immune, and may be an unwitting victim of a breach at any moment.

3)Monetary & Reputational Damage. Data breaches have a reverberating effect on a company. Damages are not limited to fines or sanctions, and they exceed the cost of mitigating the breach for consumers. Frequently, the greatest damage done is that to the company’s reputation. Consumers may second-guess their choice of providers based on an organization’s perceived failures, and the company’s reputation across the industry may diminish their competitive advantage for years to follow.

What Your Company Can Do

The prevalence of data breaches has led many to ask the question “Is proactive data security the solution?” There are many proactive measures that healthcare entities can implement to combat data breaches, the following summarizes just a few.

Risk Assessment

A risk assessment is the first critical step a health care entity should take when implementing a proactive data security plan. The HIPAA Security rule requires conducting risk assessments. Further, The National Institute of Standards and Technology (NIST) have placed great emphasis on conducting risk assessments as the foundation for data security. Risk assessments systematically identify vulnerabilities that even the most sophisticated organizations may not have anticipated. Identification of vulnerabilities can help a company stay ahead of hackers by knowing where to utilize security resources.

Invest in Data Security

Depending on the size of the company, data security may be a dual function for the company’s IT Department. Based on the severity of the potential risk, security should not be just one of many tasks for the IT department. According to a 2013 Ponemon Study, the average cost of a data breach exceeds $5 million without even considering reputational harm. Studies show that each year U.S. hospitals alone incur costs of an estimated $1.6 billion each year for security incidences. Although certain actions might initially seem redundant, measures such as establishing a dedicated data security team or department, appointing specific data-security personnel within an IT department, or investing in robust data security software and hardware, are all worthwhile investments which will likely prove less costly than a data breach.

Improve Audit Controls

HIPAA requires organizations to implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use e-PHI. Audit controls must be sufficient to examine system activity comprehensively. NIST audit control standards provide substantial guidance on conducting proactive system monitoring and activity logging. Audit controls give a company visibility into their own system, allowing them to recognize suspicious activity early in order to limit exposure and ultimately prevent full-blown data breach.

Conduct Breach Drills

Preparation is the key to mitigating damage that cannot be prevented. Similar to a fire drill, companies should maintain a plan for implementation in case of a data breach, and that plan should be put to practice regularly. HHS has teamed with HITRUST to launch CyberRx, an industry-wide effort to simulate cyberattacks. Twelve organizations will participate in these simulated cyber-attacks. The goal of CyberRx is to help industry participants identify ways to better prepare for, and respond to cyber-attacks. This is an exercise of great value and can be done independent of HHS. By preparing to respond to a breach, companies can ensure that damage will be contained as efficiently and effectively as possible when one occurs.

For updates on Health Privacy and Security follow Marshall Jackson on Twitter: @MJacksonJr_ESQ

With the New Year, come new protections for health care entities and individuals utilizing electronic health records (EHRs). On December 27, the U.S. Department of Health and Human Services, Office of Inspector General (OIG) and the Centers for Medicare and Medicaid Services (CMS), issued final rules regarding the Stark Exception and the Anti-Kickback Safe Harbor permitting certain health care organizations to subsidize up to 85% of the donor’s cost of certain EHR items and services (the “Final Rules”). The Final Rules amended the 2006 original rule (the “Original Rule”). The Final Rules:

Extend the expiration of the protections from December 31, 2013 to December 31, 2021;

Exclude laboratory companies from the list of eligible “Protected Donors” that may donate EHR items and services;

Update the provisions under which an EHR donor or recipient can ascertain, with certainty, that EHR is interoperable;

Remove requirements that donated EHR include e-prescribing capabilities; and

Clarify the requirement prohibiting any action that limits or restricts the use, compatibility, or interoperability of donated EHRs.

SUNSET PROVISION

Under the Original Rule, EHR donation regulations were set to expire on December 31, 2013. The Final Rules extend the expiration of the protections until December 31, 2021.

LABORATORY EXCLUSION

As a change from the Original Rule, the protections under the Final Rules no longer extend to laboratory companies as a type of entity that may donate EHR items and services. However, this exclusion under the Final Rules does not apply to hospitals who furnish clinical laboratory services through a laboratory that is a department of the hospital. It should be noted that a hospital-affiliated or hospital-owned company that furnishes laboratory services, which have a billing number assigned to the company as opposed to the hospital, would be excluded from the protections under the Final Rules.

INTEROPERABILITY

The Original Rule required that donated or subsidized software be “interoperable”. The rule stated that software is interoperable if a certifying body recognized by the Secretary of the Department of Health and Human Services certified the software within 12 months of the time it was provided to a physician. Under the Final Rules, software is deemed to be interoperable if, on the date it is provided to the physician, it has been certified by a certifying body authorized by the National Coordinator for Health Information Technology to an edition of EHR certification criteria. Significantly, the protections under the Final Rules are not limited to donations to individuals and entities eligible to participate in the EHR Incentive Programs (the “Meaningful Use Program”), but also extend to other entities and individuals if the donations meet the conditions of the safe harbor.

DATA LOCK-IN AND EXCHANGE

In order to foster the free exchange of data, the Final Rules have made limited clarifications to require that a donor not take any action to limit or restrict the use, compatibility or interoperability of the items or services with other electronic prescribing or EHR systems. The Final Rules included examples, making it clearer that this prohibition applies to any donor action that limits the use of donated software with any other health information technology.

ELECTRONIC PRESCRIBING

The Original Rule required that donated software contain an electronic prescribing capability. However, under the Final Rules, effective March 27, 2014, the requirement that the donated software contain an electronic prescribing capability has been eliminated.

THE WINNERS AND LOSERS

The Final Rule attempts to strike the right balance between competing interests. On the one hand, the Final Rule seeks to foster continued adoption of EHRs and increased interoperability, which are ongoing goals within CMS, ONC and much of the healthcare industry. On the other hand, OIG has shifted its position to better control risks associated with misuse of EHR donation by certain entities that seek to secure kickbacks. Recognizing these competing concerns, OIG has extended the safe harbor and improved alignment with ONC to ensure companies have better guidance to meet the interoperability requirements. Therefore many organizations emerge as winners under the Final Rule, including EHR vendors, protected EHR donors and EHR recipients. However, laboratory companies are at a significant loss as a result of OIG’s tightening of the definition of “Protected Donor”.

Why is data breach such a rampant problem within the health care industry?

As health care rapidly digitizes through adoption of electronic health records, mobile applications and the like, the risk of data breach is rising exponentially. To effectively manage this risk, health care companies and their business associates must be vigilant by implementing and evaluating security controls in the form of administrative, physical and technical safeguards. Health care companies also have resources to assist them with managing this risk. Specifically, the Federal agency for oversight of the Health Insurance Portability and Accountability Act (“HIPAA”), the Department of Health and Human Services, Office for Civil Rights (“OCR”) is tasked with providing technical assistance to guide companies to achieve compliance with the HIPAA security rules. Further, when companies fail to comply, OCR has enforcement authority to “obtain” compliance.

The responsibility for the oversight and enforcement of the Security Rule was delegated to OCR by DHHS in 2009 under the Health Information Technology for Economic and Clinical (“HITECH”) Act. Nonetheless, anyone that reads the news is aware that data breaches within the health care sector are commonplace. As such, it is becoming increasingly clear that health care companies systemically lack adequate security safeguards. Additionally, it raises a concern regarding the effectiveness of OCR’s efforts to ensure compliance.

Lack of Insight into Industry Security Compliance

According to a recently released report by the Department of Health and Human Services (“DHHS”) Office of Inspector General (“OIG”), OCR’s compliance efforts reveal significant gaps in their oversight activities between 2009 and 2011. Specifically, the report states that OCR “hasn’t performed required audits of how corporations handle patient information and failed to guarantee the security of its own records.” As a result, OIG indicated that OCR’s periodic Security Rule compliance audits, which were made mandatory by HITECH, remain an outstanding objective.

OCR responded to the OIG’s report explaining their performance citing that “no funds [have] been appropriated . . . to maintain a permanent audit program.” Going forward, however, Rodriguez said he expects that OCR “will leverage more civil penalties” and that OCR will be permitted to use collected penalties to fund enforcement actions and “to maximize funding [for] our auditing and breach analysis” activities. OCR has already committed $4.5 million from monies it collected from prior enforcement actions.

Interestingly, this is not to suggest OCR has not been active in promoting security compliance. For example, OIG indicated that OCR has provided guidance to covered entities to promote compliance and has established an investigation process for responding to reported violations. Yet, OCR’s report card, although somewhat changed, is not materially improved since OIG’s 2011 report wherein a “need for greater OCR oversight and enforcement” was recommended. In light of these findings, it is likely that OCR will turn its focus to increasing its oversight activities in an effort to gain further insight into security rule compliance.

OCR is Transforming into OIG

As early as May 2012, the Director of OCR, Leon Rodriquez, indicated that the agency is headed toward the Office of Inspector General enforcement model. OCR director Leon Rodriguez has warned that “the same level of vigilance that providers have used to steer clear of OIG’s fraud enforcement now needs to be applied in the HIPAA environment.” Coupling these comments with the findings of the recent OIG report suggest that OCR will be taking its oversight and enforcement activities even seriously moving forward.

Based on reinvigoration of the HIPAA Audit Program and signals from OCR, it appears that 2014 will be the year of heightened OCR enforcement. According to federal regulators, the permanent HIPAA Audit program is planned to begin early in the new-year and that covered entities should identify and mitigate outstanding non-compliance. Although Rodriguez has conceded that “the audits under this permanent program will be narrower in scope in comparison [to those] conducted during the pilot program,” the number of organizations that will be audited is expected to increase.

In short, the health care industry should expect even more audits and enforcements in the future.

Data is going digital, devices are going mobile, and technology is revolutionizing how care is delivered. It seems to be business as usual, as your health care organization continues to digitize its operations. You have even taken measures to help guard against the “typical” risks such as lost laptops, thumb drives and other electronic devices. However, unbeknownst to you, hackers sit in front of their computers looking for ways into your network so that they may surreptitiously peruse through confidential financial records and sensitive patient information.

Unfortunately, this scenario is commonplace, and brings with it hefty costs. To the extent electronic protected health information (“e-PHI”) is compromised in a cyber security breach, health care entities can expect to spend on average $233 per record to clean up the problem. As health care operations digitize, organizations should be cognizant of the cyber security risks impacting the data that flows through their systems. Further, health care entities need to understand how to assess and manage these risks to meet Health Insurance Portability and Accountability Act (“HIPAA”) and Health Information Technology for Economic and Clinical Health Act (“HITECH”) requirements.

Even given what we know, much of cyber security related breaches remains uncertain. There are namely two reasons for this uncertainty:

Most cyber security breaches go undetected; and

Many cyber security breaches go unreported.

Across all industries, one report asserted that approximately 69% of cyber security breaches go undetected. Of those breaches that are detected, 94% are unreported until months or longer until finally being discovered. Yet, there is one certainty in this climate—There are only two types of organizations: those that have already been hacked and those that will be at some point . . . .

Why cyber security is important now more than ever…

Recently, there has been increased scrutiny given the increased risk of data breaches. The Health and Human Services, Office of Civil Rights (“OCR”) has responded to data breaches by aggressively enforcing HIPAA, which reinforces that compliance with HIPAA requirements is a top priority. Chiefly, the HIPAA breach notification rule was amended to lower the reporting threshold from a “risk of harm” standard to a “probability of compromise” standard. As a result, the health care industry will see increased breach reporting, which will likely result in increased enforcement for noncompliance. This is bad news for health care companies because penalties for noncompliance with HIPAA have also been ramped up under the HIPAA Final Rule promulgated under HITECH.

With an increased focus on data breaches under HIPAA and HITECH, health care organizations don’t want to be the last to know how their e-PHI is being compromised. Not understanding the organizations cyber security threats can be:

Bad for patients because it can lead to identity theft;

Bad for the organization because regulators may use that as evidence of noncompliant security practices; and

Lead to noncompliance with reporting obligations under HIPAA and HITECH.

In addition to increased enforcement on the part of OCR, the FBI has joined the effort to investigate cyber security breaches. For example, in October 2013, the FBI opened an investigation of a cyber security breach affecting a network of hospitals and clinics, in which someone gained unauthorized access to the medical records of up to 1,800 patients.

The FBI also recognized that collaborative efforts are needed to solve the cyber security problem. These include investigating insider threats, detecting external threats, and informing the health care industry of cyber security threats. However, even with these collaborative efforts, health care organizations must be cognizant that assistance from the FBI could lead to increased scrutiny about the organization’s security practices. As such, proactive cyber security risk management is the best approach to ensure compliance with HIPAA and HITECH.

What can you do…

The stakes are getting higher regarding cyber security and HIPAA compliance. However, there are several steps health care organizations can take to protect against cyber security data breaches. Further, taking these steps can protect health care companies in the context of increasing investigatory activity on the part of OCR and other agencies, such as the FBI.

Second, health care organizations should evaluate whether the draft cyber security framework established by the National Institute of Standards and Technology (“NIST”) can improve the organization’s risk management process. The NIST cyber security framework contains five core elements, which help an organization:

The framework’s core elements then further subdivide into categories and subcategories and provide cross-references to a number of different standards from industry and government that address each subcategory within those functions. Health care organizations can review these references and select the standard that best addresses the organization’s particular needs. Note that the cyber security framework is currently open for discussion, which means the components may change when the framework is finalized.

Ultimately, as the health care industry continues to digitize, organizations must be cognizant of the cyber security risks affecting their networks, systems and data. Further, as the number of cyber security related breaches increases, health care companies must prepare to identify and report such breaches as required by HIPAA and HITECH. Yet, to avoid the pain and cost of recovering from a breach and also paying hefty fines for noncompliance with HIPAA, health care companies should proactively leverage HIPAA risk analyses (potentially incorporating the NIST cyber security framework) to identify, prioritize, mitigation and monitor risk affecting ePHI.

The business case supporting text messaging in a health care environment is compelling – it is mobile, fast, direct, and increases dialogue between physicians and patients as well as streamlines the often inefficient page/callback paradigm that stalls workflows and efficiency in the supply chain of healthcare delivery. As a growing percentage of the 171 billion monthly text messages in the U.S. are sent by healthcare providers, often containing electronic protected health information (ePHI), providers are potentially exposing themselves to regulatory liabilities arising under the Health Information Portability and Accountability Act (HIPAA).

Currently, there is a great deal of uncertainty around whether “HIPAA-compliant” texting of ePHI can be accomplished. Even greater confusion exists around whether certain texting platforms themselves can be “HIPAA-compliant”. Before you start to send ePHI via text message, there are a number of issues to consider.

The Bad:

Texting: Done Two Ways . . .

“Texting”, in the colloquial sense, has become an umbrella term for the entire category of mobile, asynchronous, instant communication between two or more parties. The first category of texting is what most people use today. This category is the traditional, wireless carrier-based text messaging, known as Short Message Service (SMS) text messaging. Here, users exchange messages between mobile devices over a cellular network. Most cellphones and smartphones in the U.S. market have an SMS text message capability, and it is a relativity simple push technology that can be used by people who are not tech-savvy. These benefits of SMS illustrate the broad reach of this technology.

The second category of texting is application-based instant messaging whereby users exchange messages over the internet between web-enabled devices. In essence, users download stand-alone applications to their mobile devices, create accounts with unique login credentials, and then send and receive text messages between accounts using the application interface. In light of challenges posed by HIPAA, many companies have developed application-based texting platforms, which are now branded as “HIPAA-compliant”. A number of these texting platforms allow for encryption of messages as well as secure login at the application level. However, the reach of these texting applications is somewhat narrower than traditional SMS text messaging for a few reasons. First, these texting applications typically run on smartphones, but are not universally available on ordinary cellphones. Second, use of the applications may be limited if the user is not tech-savvy. Nonetheless, these application-based texting platforms provide powerful tools to share ePHI.

Before you choose to use SMS text messaging or even a “HIPAA-compliant” application-based texting platform to send or receive ePHI, proceed with caution. First, note that no particular “texting” platform can be, in and of itself, “HIPAA-compliant.” Second, text messaging presents a litany of privacy and security challenges which must be addressed before texting ePHI.

The Ugly:

The Trouble with SMS Texting . . .

By virtue of how it is generated, transmitted, stored, and viewed, traditional SMS texting presents several obstacles to HIPAA compliance. Some of the key obstacles include the following and are explained below:

SMS text messages are transmitted in clear text;

SMS text messages are not encrypted;

Senders cannot authenticate recipients;

Recipients cannot authenticate senders; and

ePHI can remain stored on wireless carrier servers.

Of particular note, SMS text messages are currently not secured through encryption. This potentially allows unauthorized third parties to get access to and view the content of SMS text messages associated with certain individually-identifiable information.

It is also difficult to know who generated a text message or even whether it is ending up in the right place. Recognizing some of these authentication issues prompted the Joint Commission to explicitly restrict text messaging. Indeed, the Joint Commission stated that it is unacceptable for “physicians or licensed independent practitioners to text orders for patients to the hospital or other healthcare setting[s].” This, however, does not amount to a complete ban on text messaging of ePHI, and leaves open the possibility of other appropriate ways to utilize texting to share ePHI.

Finally, ePHI sent via SMS text message can end up being stored in places outside the control of the sender or the recipient. This can create an unmanageable risk in the context of data breach. For example, SMS text messages reside on telecommunications servers for some time before and after being transmitted to a recipient’s phone. As such, a breach of the telecom servers could allow unauthorized individuals to access or view the ePHI.

These risks render SMS text messaging a difficult avenue for the transmission of ePHI.

Despite these obstacles, is there a way to leverage text messaging while complying with HIPAA?

First and foremost, HIPAA does not explicitly prohibit the use of SMS text messaging to transmit ePHI. Rather, the HIPAA Security rule requires Covered Entities and Business Associates acting on their behalf to implement administrative, physical and technical safeguards if engaged in the transmission or storage of ePHI. While HIPAA does not prescribe specific safeguards to use to protect ePHI sent via text message, it does provide a framework to assess and mitigate risks associated with such transmissions. For example, key technical safeguards included within the HIPAA Security Rule that should be considered before texting ePHI include the following controls:

Unique User Identification;

Automatic Logoff;

Encryption/Decryption;

Auditing;

Integrity Management;

Authentication; and

Transmissions Security.

Further, to comply with HIPAA, those who want to send ePHI via text must conduct a risk analysis. A risk analysis consists of “an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.” Thus, prior to employing SMS or application-based texting, the risks associated with either should be addressed.

In short, HIPAA compliance is achieved by implementing reasonable and appropriate safeguards and conducting a risk analysis on a periodic basis.

Text messaging continues to offer a simple, attractive, and cost effective way to communicate ePHI. As a result, text messaging solutions will continue to enter the market place. Yet, text messaging solutions carry a great deal of risk stemming from various threats and vulnerabilities. Before utilizing text messaging, these risks must be evaluated and effectively managed to ensure compliance with HIPAA and avoid the potential for unauthorized use or disclosure as well as data breach.

Before initiating treatment, health care providers must generally obtain their patients’ informed consent. The purpose of the informed consent process is two-fold. First, it allows patients to gain an understanding of the risks and benefits of the proposed treatment, and alternative courses of action. Second, it helps shield providers from legal exposure.

A formal informed consent process is particularly critical for procedures that carry a high risk of patient injury. When considering such “high-risk” procedures, neurosurgery or radiation therapy may come to mind. However, in the practice of telehealth, reliance on imperfect technological tools, as well as the “distance” factor, can propel otherwise routine treatments into a higher risk category.

The Risks of Telehealth Practice

One important telehealth-specific risk is the possibility of technological hiccups and failures. Computers, tablets, cell phones, web cameras, and electronic health records represent just a sampling of the technology-based tools used by telehealth providers. While these technologies can improve and advance patient care, they can also falter, impairing the medical evaluation and treatment process and threatening patient safety. For example, transmission errors can occur when telehealth providers receive patient data electronically (such data may include patient records, x-rays, and medical device print-outs). These errors can delay patient treatment and even give rise to dangerous misdiagnoses.

Beyond transmission errors, the remote nature of telehealth practice can create additional risks. For instance, a patient being evaluated by a distant, off-site provider may not be able to tell who is present in the room at the distant provider’s site (i.e., medical or non-medical personnel may be present and within listening distance, but not captured by the camera’s view). This is a clear privacy concern for patients, who may not want such “hidden” third parties to have access to their personal health information.

The remote nature of telehealth practice can also increase patient risk because distant providers cannot perform comprehensive physical examinations. Without completing a hands-on examination, the distant provider’s ability to offer a complete and accurate evaluation of the patient’s condition may be limited.

State legislatures are starting to take note of these telehealth-specific risks. In fact, a few states have already passed laws that require providers to obtain a patient’s informed consent before delivering telehealth services.

State Implementation of Telehealth-Specific Consent Laws

To date, state approaches to telehealth-specific consent laws have varied. For example, in Nebraska, telehealth providers must obtain patients’ written informed consent prior to an initial telehealth consultation. Conversely, under both California and Arizona law, a patient’s verbal consent to the use of telehealth care satisfies the statutory informed consent requirement. In Texas, telehealth providers are required to obtain patients’ informed consent prior to delivering telehealth services, but the relevant statute does not specify the required form of the consent. In at least one state, Oklahoma, legislators have gone above and beyond simply requiring informed consent for telehealth services. The Oklahoma telehealth statute establishes a detailed consent framework, laying out the specific types of information that telehealth providers must give to patients.

Although telehealth-specific consent laws are currently confined to only a small minority of states, all telehealth providers should take heed. No matter the jurisdiction, failure to properly obtain a patient’s informed consent before initiating telehealth services can increase a provider’s risk of facing consent-based negligence claims (an explanation of the elements of an informed consent claim can be found here).

Mitigating the Risk of Consent-Based Claims

To prepare for the possibility of facing a consent-based claim (which will often accompany a medical malpractice claim), telehealth providers may consider incorporating a more thorough informed consent process into their overall risk mitigation strategy. For example, providers can improve their documentation of the informed consent process by drafting a telehealth consent form, or a telehealth addendum to a more traditional consent form that they might already use. While some providers, such as those practicing in Oklahoma, may need to adhere to specific state requirements regarding the content of these telehealth-specific forms, there are several general categories of information that all providers may consider including, such as:

Language introducing and explaining the telehealth process in a way that patients can easily understand;

Description of the expected risks and benefits of telehealth services; and

Other information necessary for the patient to have a complete understanding of the telehealth process (i.e., available alternatives, referral information for a local provider, etc.).

Although telehealth providers cannot possibly avoid all practice risks, they can limit their exposure by taking a proactive approach to the informed consent process. Key aspects of such an approach are likely to include disclosure of all material facts necessary for patients to make an informed decision about moving forward with telehealth care and careful documentation of the consent process. From a risk standpoint, providers who take these steps will be well positioned to adapt to emerging new technologies and the continuously expanding scope of services being offered via telehealth.

In the healthcare industry we often associate information privacy and security enforcement with HIPAA and state privacy laws. However, a lesser known but in some cases just as significant regulator of information privacy is the Federal Trade Commission (“FTC”). This is especially true with regard to mobile health applications, which depending on how they function and collect personal information, may not be regulated by HIPAA. Regardless of whether or not you have to comply with HIPAA, if you run applications or software that can access personal information, then the FTC’s privacy requirements should also be on your radar.

The means by which the FTC regulates privacy is the FTC Act, a consumer protection law that gives the FTC authority to go after “unfair or deceptive acts or practices” in or affecting commerce. An unfair practice is a practice that is likely to cause “substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.”

The FTC is becoming more aggressive in its application of the FTC Act against mobile and information technology companies, wringing settlements from companies such as Google and Facebook, but also filing enforcement actions against smaller entities for data breaches and inappropriate privacy practices. In February 2013, for example, the FTC announced a settlement with Path, Inc. (“Path”), a social networking application available as an app. Path gave its users three options to search for additional friends to invite to join Path. One of these options was to allow Path to browse through the users mobile device contacts; the others were to search Facebook, or to allow the user to send SMS messages to friends. No matter which option the user selected, Path searched through the user’s mobile contacts and stored the information, which included names, addresses, birthdays, etc., on Path’s servers. By contrast, Path’s privacy policy stated that Path only collected its users’ IP addresses and assured users that Path protected their privacy. The FTC alleged that this discrepancy constituted an unfair and deceptive trade practice because Path’s users were not presented with any meaningful choice regarding how much information was collected and were deceived by the company’s practices which contradicted their privacy statement.

Also in February 2013, the FTC reached a settlement with HTC America, Inc. (“HTC”), a manufacturer of mobile phones. The FTC alleged that HTC engaged in unfair security practices when the modification it made to the operating systems of its devices created security vulnerabilities. Specifically, HTC’s modifications allowed certain applications already on a user’s device to download other applications without the user’s consent. HTC also failed to deactivate the “debug” code on its devices, which meant that HTC devices could record and make logs of each user’s internet activity and make those logs available to HTC, or to any application on the user’s device with permission to read the logs. Again, the FTC charged HTC with misleading representations because HTC’s user manuals and mobile device interfaces suggested that consumer data would not be disclosed to third parties without consumer permission.

Some insights on the FTC’s approach to privacy can be distilled from these two enforcement actions. First, the FTC expects companies to provide users with meaningful choices in the amount of sensitive information that is shared with the company. Default settings should maximize privacy protections. Second, the FTC appears to be taking the position that the FTC Act allows it to determine appropriate security standards for mobile devices, and that it expects companies to provide users with technically secure products. Applications or devices that are unreasonably susceptible to unauthorized third-party manipulation could be considered unfair trade practices. Finally, and perhaps, most importantly, the FTC may consider a company’s failure to comply with its stated privacy policies as misrepresentation and a deceptive trade practice.

If you are an mhealth company with access to personal information, at a minimum you should have privacy and security policies in place and be taking steps to ensure that you are not engaging in activities that violate your own policies.